A vulnerability was found in Mozilla Firefox (the affected version is unknown) and classified as problematic. This issue affects an unknown code of the component Network Security Services. The manipulation with an unknown input leads to a observable response discrepancy vulnerability. Using CWE to declare the problem leads to CWE-204. The product provides different responses to incoming requests in a way that reveals internal state information to an unauthorized actor outside of the intended control sphere. Impacted is confidentiality. The summary by CVE is:

NSS was susceptible to a timing side-channel attack when performing RSA decryption. This attack could potentially allow an attacker to recover the private data. This vulnerability affects Firefox < 124, Firefox ESR < 115.9, and Thunderbird < 115.9.

The advisory is shared at mozilla.org. The identification of this vulnerability is CVE-2023-5388 since 10/04/2023. The exploitation is known to be difficult. The attack may be initiated remotely. No form of authentication is needed for a successful exploitation. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 03/19/2024). MITRE ATT&CK project uses the attack technique T1592 for this issue.

Upgrading eliminates this vulnerability. The upgrade is hosted for download at mozilla.org.

Entries connected to this vulnerability are available at VDB-257265, VDB-257266, VDB-257267 and VDB-257268.

Productinfo

Type

• Web Browser

Vendor

• Mozilla

Name

• Firefox

License

• open-source

CPE 2.3info

• 🔒

CPE 2.2info

• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

Discussion